US11516186B1ActiveUtility

Offboard storage of non-sensitive objects for network-based hardware security modules

Assignee: AMAZON TECH INCPriority: Mar 4, 2020Filed: Mar 4, 2020Granted: Nov 29, 2022
Est. expiryMar 4, 2040(~13.6 yrs left)· nominal 20-yr term from priority
H04L 63/0428G06F 21/72G06F 21/6209H04L 63/0227H04L 9/3247G06F 16/289H04L 9/0877G06F 21/602H04L 9/0897H04L 9/0891
89
PatentIndex Score
7
Cited by
56
References
20
Claims

Abstract

A hardware security module (HSM) client processes a request to store data in a set of HSMs. The HSM client determines a property of the data indicative of a sensitivity classification of the data. As a result of determining the data lacks a classification as sensitive, the HSM client transmits the data to a data store outside the set of HSMs and updates a database used by the HSM client to associate an identifier of the data with a reference to a location in the data store.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer-implemented client-side method, comprising:
 obtaining, at a hardware security module (HSM) client, a request to store a data object in a set of HSMs, the request specifying a property of the data object indicative of the data object lacking a classification as sensitive; 
 determining, based on the specified property and by the HSM client, to store the data object outside the set of HSMs; 
 as a result of determining to store the data object outside the set of HSMs, transmitting, by the HSM client, the data object to a data store outside of the set of HSMs; and 
 updating a database used by the HSM client to associate an identifier of the data object with a reference to a location in the data store. 
 
     
     
       2. The computer-implemented method of  claim 1 , wherein the method further comprises:
 obtaining, at the HSM client, a second request to store a second data object in the set of HSMs, the second request specifying a property of the second data object; 
 determining, based on the specified property and by the HSM client, to store the second data object inside the set of HSMs; and 
 as a result of determining to store the second data object inside the set of HSMs, transmitting, by the HSM client, the second data object to an HSM of the set of HSMs. 
 
     
     
       3. The computer-implemented method of  claim 1 , wherein the method further comprises:
 obtaining, at the HSM client, a third request to store a third data object, the third request specifying the third data object as non-sensitive; 
 determining, based on a characteristic of the third data object, to store the third data object inside the set of HSM; and 
 as a result of determining to store the third data object inside the set of HSMs, transmitting, by the HSM client, the third data object to an HSM of the set of HSMs. 
 
     
     
       4. The computer-implemented method of  claim 1 , wherein the request specifies the property in metadata of the data object that indicates a data type corresponding to non-sensitive data. 
     
     
       5. A system, comprising:
 one or more processors; and 
 memory that stores computer-executable instructions that are executable by the one or more processors to cause the system to:
 obtain a request to store data in a cryptographic device, the request specifying a property of the data indicative of the data lacking a classification as sensitive; 
 determine, based on the specified property, to store the data outside the cryptographic device; and 
 transmit the data to a data store outside of the cryptographic device to fulfill the request. 
 
 
     
     
       6. The system of  claim 5 , wherein the computer-executable instructions include further instructions that, as a result of being executed by the one or more processors, further cause the system to update a database used by a client of the cryptographic device to associate an identifier of the data with a reference to an address in the data store. 
     
     
       7. The system of  claim 6 , wherein the computer-executable instructions that cause the system to obtain the request to store the data further include instructions that cause the system to obtain the request at a client of the cryptographic device. 
     
     
       8. The system of  claim 6 , wherein the computer-executable instructions that cause the system to determine to store the data outside the cryptographic device further include instructions that, when executed by the one or more processors, cause the system to determine to store the data outside the remote cryptographic device based on a field of metadata indicating a lack of a classification as sensitive. 
     
     
       9. The system of  claim 5 , wherein the computer-executable instructions that cause the system to obtain the request to store the data further include instructions that cause the system to obtain the request at an intermediary between the cryptographic device and a location to store the data. 
     
     
       10. The system of  claim 5 , wherein:
 the cryptographic device is a hardware security module (HSM); 
 the computer-executable instructions that cause the system to obtain the request to store the data further include instructions that cause the system to obtain the request at the HSM; and 
 the computer-executable instructions that cause the system to determine, based on the specified property, to store the data outside HSM further include instructions that cause the system to determine to store the data outside HSM at the HSM. 
 
     
     
       11. The system of  claim 5 , wherein the computer-executable instructions include further instructions that, when executed by the one or more processors, further cause the system to:
 obtain a third request to store a third data in a set of cryptographic devices, the third request specifying a property of the third data indicative of the third data including the classification as non-sensitive; 
 determine, based on the specified property and according to a policy, to store the third data inside the set of cryptographic devices, the policy indicating that the specified property corresponds to sensitive data; and 
 as a result of determining to store the third data inside the set of cryptographic devices, transmit the third data to a cryptographic device of the set of cryptographic devices. 
 
     
     
       12. The system of  claim 11 , wherein the request and the third request are of the same request type. 
     
     
       13. A set of non-transitory computer-readable storage media that stores executable instructions that, if executed by one or more processors of a computer system, cause the computer system to:
 obtain a communication to store a data object in a cryptographic device; 
 determine, based on data included in the communication, a classification of the data object as lacking sensitivity; 
 generate, based on the classification, a determination to store the data object outside of the cryptographic device; and 
 transmit the data object to be stored according to the determination. 
 
     
     
       14. The non-transitory computer-readable storage medium of  claim 13 , wherein the executable instructions further include instructions that, when executed by one or more processors of the computer system, further cause the computer system to:
 associate, in a database accessible to a plurality of hardware security module including the hardware security module, an identifier of the data object indicating a location of the data object. 
 
     
     
       15. The non-transitory computer-readable storage medium of  claim 14 , wherein the executable instructions further include instructions that, when executed by one or more processors of the computer system, further cause the computer system to:
 obtain a communication to retrieve the data object, the communication to retrieve the data object referring to the data object by the identifier; 
 determine the location of the data object, the location associated with the identifier as indicated by the database; and 
 access the data object from the determined location. 
 
     
     
       16. The non-transitory computer-readable storage medium of  claim 13 , wherein the executable instructions further include instructions that, when executed by one or more processors of the computer system, further cause the computer system to:
 reclassify the data object as sensitive based on a policy indicating that an obtained data object lacking a specification is to be classified as sensitive; 
 determine that the data object is to be moved from outside the cryptographic device to the cryptographic device in response to the data object being reclassified as sensitive; and 
 move the data object from outside the cryptographic device to the cryptographic device. 
 
     
     
       17. The non-transitory computer-readable storage medium of  claim 13 , wherein:
 the data object is classified as non-sensitive based on metadata included in the data object specifying the data object as non-sensitive; and 
 a destination to transmit the data object is determined to be a remote cryptographic device based on a rule set indicating that a category of data objects matching the data object are to be stored at the cryptographic device. 
 
     
     
       18. The non-transitory computer-readable storage medium of  claim 13 , wherein the data store is outside a private network, the private network including a computing device that generated the communication to store the data object in the cryptographic device. 
     
     
       19. The non-transitory computer-readable storage medium of  claim 13 , wherein:
 the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to:
 select, when the classification of the data object is sensitive, a cryptographic device of a cluster of cryptographic devices; and 
 update a database to include a location of where the data object is stored at the selected cryptographic device of the cluster, the database associating a plurality of data objects and corresponding storage locations at the cluster and outside the cluster; and 
 
 wherein transmitting the data object comprises transmitting the data object to the selected cryptographic device. 
 
     
     
       20. The non-transitory computer-readable storage medium of  claim 13 , wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to:
 receive a request indicating a modification to a sensitivity of the data object indicative of the data object comprising sensitive data; 
 access the data object at the data store; 
 transmit the data object to a hardware security module; and 
 remove the data object from the data store.

Join the waitlist — get patent alerts

Track US11516186B1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.